[sudo-users] tls +ldap + sudo = no go?
Natxo Asenjo
natxo.asenjo at gmail.com
Mon May 22 07:01:36 EDT 2006
On 5/22/06, Huibert.Kivits at mail.ing.nl <Huibert.Kivits at mail.ing.nl> wrote:
>
> Hi,
>
> When recommending to use "SSL for authentication and not for sudo", I was
> referring to Solaris and AIX. Both have their own LDAP client. We're
> currently not managing Linux machines yet, so we do not have experience with
> nss-ldap.
ok, that is clear. Thanks for your input.
> The point I tried to make is that, at least in our situation, using SSL/TLS
> for sudo does not have much added value. When the sudo client retrieves
> information from the LDAP server, no user passwords are communicated over
> this sudo channel. Well, apart from the user you've configured to bind to
> the LDAP server of course, in your ldap.conf file.
right. The problem with nss-ldap is that it all works from that file. So if
I turn ssl/tls off there, anyone can sniff the passwords. It is a big no-no
here.
At least this is what I have experienced so far. If I am wrong, I'll be more
than happy to admit it.
[snip]
> So, maybe sudo/ldap works with SSL/TLS. Or maybe not. But frankly, IMHO,
> from a security point of view, there is not much to gain from using sudo in
> combination with SSL/TLS.
well, in your environment no. In an openldap/nss-ldap linux environment
apparently yes, then.
--
Regards,
J.Asenjo
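The risk discussed in the thread is that nss-ldap and sudo's LDAP backend share one /etc/ldap.conf, so turning TLS off there exposes the bind password (and nss-ldap's authentication traffic) on the wire. The script below is an added example, not code from the thread or from the sudo or nss-ldap projects: it audits an ldap.conf for that exact combination, treating the file as unsafe when `bindpw` is set without `ssl on`, `ssl start_tls` or an `ldaps://` URI, and as unverified when TLS is on but `tls_checkpeer` is not `yes`. The two sample configurations (hostnames, DNs and password) are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a PADL nss-ldap / sudo-ldap style ldap.conf for a cleartext bind
# password. Prints findings; returns 0 when the file looks safe, 1 otherwise.
check_ldap_conf() {
    file="$1"
    # Drop comments and blank lines; keywords are case-insensitive.
    cfg=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | tr 'A-Z' 'a-z')
    ssl=$(printf '%s\n' "$cfg" | awk '$1=="ssl"{v=$2} END{print v}')
    uri=$(printf '%s\n' "$cfg" | awk '$1=="uri"{v=$2} END{print v}')
    peer=$(printf '%s\n' "$cfg" | awk '$1=="tls_checkpeer"{v=$2} END{print v}')
    has_pw=$(printf '%s\n' "$cfg" | awk '$1=="bindpw"{f=1} END{print f+0}')

    encrypted=0
    case "$ssl" in on|start_tls) encrypted=1 ;; esac
    case "$uri" in ldaps://*) encrypted=1 ;; esac

    rc=0
    if [ "$has_pw" = 1 ] && [ "$encrypted" = 0 ]; then
        echo "FAIL: bindpw set but no TLS (ssl=${ssl:-unset} uri=${uri:-unset})"
        rc=1
    fi
    if [ "$encrypted" = 1 ] && [ "$peer" != "yes" ]; then
        echo "WARN: TLS on but tls_checkpeer is not 'yes'; server not verified"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample: the weak setting the thread warns about (ssl off).
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
host ldap.example.com
base dc=example,dc=com
binddn cn=sudo-reader,dc=example,dc=com
bindpw not-a-real-password
sudoers_base ou=SUDOers,dc=example,dc=com
ssl off
EOF

# Constructed sample: the corrected setting (StartTLS + peer verification).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
binddn cn=sudo-reader,dc=example,dc=com
bindpw not-a-real-password
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF

check_ldap_conf "$WEAK" || echo "weak config rejected as expected"
check_ldap_conf "$GOOD" || echo "unexpected: corrected config rejected"
```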